OpenSSF Security Metrics Initiative

Nicola Tuveri nic.tuv at gmail.com
Tue May 4 10:06:58 UTC 2021


Hi,

I wanted to point out to the OMC and to openssl-project a new
initiative from the [Open Source Security Foundation](https://www.openssf.org): the
Security Metrics Initiative.

A more detailed description is available at
<https://openssf.org/blog/2021/05/03/introducing-the-security-metrics-project/>.
It should be remarked that the <https://metrics.openssf.org> service is to be
considered alpha, that changes in the API and in the data sources might occur
at this stage, and that there might be inaccuracies in the reported data.

Here is a direct link to what the initiative reports for the OpenSSL
project:
<https://metrics.openssf.org/grafana/d/default/metric-dashboard?orgId=1&var-PackageURL=pkg%3Agithub/openssl/openssl>.

In particular, it seems we score quite low on the OpenSSF Scorecard (30.8%
as I am writing this mail) and, also for the data coming from the OpenSSF
Best Practices Badge Program, it looks like the project has many negative
marks.

It should also be noted that the description field in the project
information for `github:/openssl/openssl` reports:

> This is a historical badge entry for the OpenSSL project before the
> Heartbleed vulnerability was reported, circa February 2014. Please note
> that the OpenSSL project's status has changed substantially since then. For
> the current state of OpenSSL, see the current OpenSSL badge entry. [...]

So maybe it is not too alarming that many of the negative marks are coming
from unexpected entries: e.g. at the moment it seems to report that we don't
have/use static/dynamic analysis, and that we don't have vulnerability reporting,
code review, CI tests or pull requests.

Nonetheless, given that this tool might soon be used to pick among alternatives
when making critical infrastructure design choices, or affect funding
decisions or resource planning, it might be a good thing for the OMC to get
proactive and reach out to straighten the record for current OpenSSL
releases, to offer suggestions on alternative metrics to be considered and on
redefining criteria for existing metrics, and possibly to incorporate feedback
from the Security Metrics initiative to adapt plans regarding the future
roadmap for OpenSSL.

I finish this email by quoting the last paragraph from the Security
Metrics Initiative announcement, as it might be of interest for all
subscribers to openssl-project:

> Your [feedback](https://github.com/ossf/Project-Security-Metrics/issues)
> is most welcome, and if you're interested in learning more or joining this
> effort, please reach out to [Michael Scovetta](mailto:michael.scovetta at microsoft.com)
> or join us at our next [working group](https://github.com/ossf/wg-identifying-security-threats)
> meeting.



Best regards,

Nicola Tuveri